secure-push-check 1.0.0 → 2.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-push-check",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "description": "Production-ready CLI that scans local Git repositories for security risks before push.",
   "type": "module",
   "main": "src/index.js",
@@ -28,14 +28,7 @@
     "git",
     "cli",
     "secrets",
-    "audit",
-    "pre-push"
+    "audit"
   ],
-  "license": "MIT",
-  "dependencies": {
-    "@babel/parser": "^7.27.7",
-    "chalk": "^5.4.1",
-    "commander": "^12.1.0",
-    "fast-glob": "^3.3.3"
-  }
+  "license": "MIT"
 }

package/src/cli.js

@@ -1,5 +1,4 @@
-import chalk from "chalk";
-import { Command } from "commander";
+import { parseArgs } from "node:util";
 import {
   TOOL_VERSION,
   installPrePushHook,
@@ -7,6 +6,28 @@ import {
   runScan
 } from "./index.js";
 
+// ANSI color codes for terminal output
+const ansi = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  blue: "\x1b[34m",
+  cyan: "\x1b[36m",
+  gray: "\x1b[90m",
+  orange: "\x1b[38;5;214m"
+};
+
+/**
+ * @param {string} text
+ * @param {...string} codes
+ * @returns {string}
+ */
+function colorize(text, ...codes) {
+  return `${codes.join("")}${text}${ansi.reset}`;
+}
+
 /**
  * @param {string} severity
  * @returns {(text: string) => string}
@@ -14,15 +35,15 @@ import {
 function severityColor(severity) {
   switch (normalizeSeverity(severity)) {
     case "critical":
-      return chalk.red.bold;
+      return (text) => colorize(text, ansi.red, ansi.bold);
     case "high":
-      return chalk.yellow.bold;
+      return (text) => colorize(text, ansi.yellow, ansi.bold);
     case "moderate":
-      return chalk.hex("#f59e0b");
+      return (text) => colorize(text, ansi.orange);
     case "low":
-      return chalk.blue;
+      return (text) => colorize(text, ansi.blue);
     default:
-      return chalk.white;
+      return (text) => text;
   }
 }
 
@@ -63,11 +84,11 @@ function renderHumanReport(result) {
   const passedChecks = result.checks.filter((check) => check.status === "passed");
   const skippedChecks = result.checks.filter((check) => check.status === "skipped");
 
-  console.log(chalk.cyan.bold(`\n🔍 Secure Push Check v${result.version}\n`));
+  console.log(colorize(`\n🔍 Secure Push Check v${result.version}\n`, ansi.cyan, ansi.bold));
 
-  console.log(chalk.red.bold("❌ Critical Issues"));
+  console.log(colorize("❌ Critical Issues", ansi.red, ansi.bold));
   if (critical.length === 0) {
-    console.log(chalk.green("  ✅ None"));
+    console.log(colorize("  ✅ None", ansi.green));
   } else {
     for (const finding of critical) {
       const color = severityColor(finding.severity);
@@ -78,9 +99,9 @@ function renderHumanReport(result) {
     }
   }
 
-  console.log(chalk.yellow.bold("\n⚠️ Warnings"));
+  console.log(colorize("\n⚠️ Warnings", ansi.yellow, ansi.bold));
   if (warnings.length === 0) {
-    console.log(chalk.green("  ✅ None"));
+    console.log(colorize("  ✅ None", ansi.green));
   } else {
     for (const finding of warnings) {
       const color = severityColor(finding.severity);
@@ -91,31 +112,32 @@ function renderHumanReport(result) {
     }
   }
 
-  console.log(chalk.green.bold("\n✅ Passed Checks"));
+  console.log(colorize("\n✅ Passed Checks", ansi.green, ansi.bold));
   if (passedChecks.length === 0) {
-    console.log(chalk.yellow("  - None"));
+    console.log(colorize("  - None", ansi.yellow));
   } else {
     for (const check of passedChecks) {
-      console.log(chalk.green(`  - ${check.name}`));
+      console.log(colorize(`  - ${check.name}`, ansi.green));
     }
   }
 
   if (skippedChecks.length > 0) {
-    console.log(chalk.gray.bold("\nℹ️ Skipped Checks"));
+    console.log(colorize("\nℹ️ Skipped Checks", ansi.gray, ansi.bold));
     for (const check of skippedChecks) {
-      console.log(chalk.gray(`  - ${check.name}`));
+      console.log(colorize(`  - ${check.name}`, ansi.gray));
     }
   }
 
   console.log(
-    chalk.bold(
-      `\nSummary: critical=${result.summary.critical}, high=${result.summary.high}, moderate=${result.summary.moderate}, total=${result.summary.totalFindings}`
+    colorize(
+      `\nSummary: critical=${result.summary.critical}, high=${result.summary.high}, moderate=${result.summary.moderate}, total=${result.summary.totalFindings}`,
+      ansi.bold
     )
   );
   console.log(
     result.summary.blocked
-      ? chalk.red(`Result: BLOCKED (threshold: ${result.summary.severityThreshold})`)
-      : chalk.green(`Result: SAFE (threshold: ${result.summary.severityThreshold})`)
+      ? colorize(`Result: BLOCKED (threshold: ${result.summary.severityThreshold})`, ansi.red)
+      : colorize(`Result: SAFE (threshold: ${result.summary.severityThreshold})`, ansi.green)
   );
 }
 
@@ -137,49 +159,77 @@ async function executeScan(options) {
   process.exitCode = result.summary.blocked ? 1 : 0;
 }
 
-const program = new Command();
-program
-  .name("secure-push-check")
-  .description("Scan local Git repositories for security risks before pushing.")
-  .version(TOOL_VERSION)
-  .showHelpAfterError();
-
-program
-  .command("scan")
-  .description("Run all checks and print a colorized report.")
-  .option("--json", "Output report as JSON.")
-  .option("--cwd <path>", "Working directory to scan.", process.cwd())
-  .action(async (options) => {
-    await executeScan({
-      json: Boolean(options.json),
-      cwd: options.cwd
-    });
-  });
+function printHelp() {
+  console.log(`
+${colorize("secure-push-check", ansi.cyan, ansi.bold)} v${TOOL_VERSION}
+Scan local Git repositories for security risks before pushing.
+
+${colorize("Usage:", ansi.bold)}
+  secure-push-check <command> [options]
+
+${colorize("Commands:", ansi.bold)}
+  scan      Run all checks and print a colorized report
+  report    Run all checks and generate a report (alias for scan)
+  install   Install secure-push-check as a pre-push Git hook
+
+${colorize("Options:", ansi.bold)}
+  --json    Output report as JSON (scan/report only)
+  --cwd     Working directory to scan (default: current directory)
+  --help    Show this help message
+  --version Show version number
+`);
+}
 
-program
-  .command("report")
-  .description("Run all checks and generate a report.")
-  .option("--json", "Output report as JSON.")
-  .option("--cwd <path>", "Working directory to scan.", process.cwd())
-  .action(async (options) => {
-    await executeScan({
-      json: Boolean(options.json),
-      cwd: options.cwd
-    });
+async function main() {
+  const { values, positionals } = parseArgs({
+    args: process.argv.slice(2),
+    options: {
+      json: { type: "boolean", default: false },
+      cwd: { type: "string", default: process.cwd() },
+      help: { type: "boolean", short: "h", default: false },
+      version: { type: "boolean", short: "v", default: false }
+    },
+    allowPositionals: true,
+    strict: false
   });
 
-program
-  .command("install")
-  .description("Install secure-push-check as a pre-push Git hook.")
-  .option("--cwd <path>", "Repository path where hook should be installed.", process.cwd())
-  .action(async (options) => {
-    const result = await installPrePushHook({ cwd: options.cwd });
-    console.log(chalk.green(`Pre-push hook ${result.operation} at ${result.hookPath}`));
-  });
+  if (values.version) {
+    console.log(TOOL_VERSION);
+    return;
+  }
+
+  if (values.help || positionals.length === 0) {
+    printHelp();
+    return;
+  }
+
+  const command = positionals[0];
+
+  try {
+    switch (command) {
+      case "scan":
+      case "report":
+        await executeScan({
+          json: Boolean(values.json),
+          cwd: values.cwd
+        });
+        break;
+
+      case "install": {
+        const result = await installPrePushHook({ cwd: values.cwd });
+        console.log(colorize(`Pre-push hook ${result.operation} at ${result.hookPath}`, ansi.green));
+        break;
+      }
 
-try {
-  await program.parseAsync(process.argv);
-} catch (error) {
-  console.error(chalk.red(`Error: ${error.message}`));
-  process.exitCode = 1;
+      default:
+        console.error(colorize(`Unknown command: ${command}`, ansi.red));
+        printHelp();
+        process.exitCode = 1;
+    }
+  } catch (error) {
+    console.error(colorize(`Error: ${error.message}`, ansi.red));
+    process.exitCode = 1;
+  }
 }
+
+main();

package/src/scanners/credentials.js

@@ -1,7 +1,6 @@
 import path from "node:path";
 import { promises as fs } from "node:fs";
-import fg from "fast-glob";
-import { parse } from "@babel/parser";
+import { fg } from "../utils/glob.js";
 
 const DEFAULT_IGNORES = [
   "**/.git/**",
@@ -12,7 +11,12 @@ const DEFAULT_IGNORES = [
 ];
 
 const CODE_GLOBS = ["**/*.js", "**/*.jsx", "**/*.ts", "**/*.tsx", "**/*.mjs", "**/*.cjs"];
-const CREDENTIAL_VAR_PATTERN = /(password|passwd|pwd|token|secret|api[_-]?key|access[_-]?token)/i;
+
+// Matches: const password = "value", const apiKey = 'value', const secret = `value`
+const CREDENTIAL_PATTERN = /\b(?:const|let|var)\s+(password|passwd|pwd|token|secret|api[_-]?key|access[_-]?token)\s*=\s*(['"`])([^'"`\n]{4,})\2/gi;
+
+// Matches object properties: password: "value", apiKey: 'value'
+const OBJECT_CREDENTIAL_PATTERN = /\b(password|passwd|pwd|token|secret|api[_-]?key|access[_-]?token)\s*:\s*(['"`])([^'"`\n]{4,})\2/gi;
 
 /**
  * @param {string} value
@@ -55,55 +59,38 @@ function compileAllowMatchers(allowPatterns) {
 }
 
 /**
- * @param {unknown} node
- * @returns {string | null}
- */
-function getStaticStringValue(node) {
-  if (!node || typeof node !== "object") {
-    return null;
-  }
-
-  if (node.type === "StringLiteral" && typeof node.value === "string") {
-    return node.value;
-  }
-
-  if (node.type === "TemplateLiteral" && Array.isArray(node.expressions) && node.expressions.length === 0) {
-    return node.quasis.map((item) => item.value.cooked || "").join("");
-  }
-
-  return null;
-}
-
-/**
- * @param {unknown} node
- * @param {(node: any) => void} visitor
- * @returns {void}
+ * Check if a value looks like a placeholder/template rather than a real secret.
+ * @param {string} value
+ * @returns {boolean}
  */
-function walk(node, visitor) {
-  if (!node || typeof node !== "object") {
-    return;
-  }
-
-  visitor(node);
-
-  for (const key of Object.keys(node)) {
-    if (key === "loc" || key === "start" || key === "end") {
-      continue;
-    }
-
-    const value = node[key];
-    if (Array.isArray(value)) {
-      for (const child of value) {
-        walk(child, visitor);
-      }
-    } else if (value && typeof value === "object") {
-      walk(value, visitor);
-    }
-  }
+function isPlaceholder(value) {
+  const lowerValue = value.toLowerCase();
+
+  // Common placeholder patterns
+  const placeholders = [
+    "your_",
+    "your-",
+    "<your",
+    "${",
+    "{{",
+    "process.env",
+    "env.",
+    "xxx",
+    "placeholder",
+    "example",
+    "changeme",
+    "todo",
+    "fixme",
+    "replace",
+    "insert",
+    "fill"
+  ];
+
+  return placeholders.some(p => lowerValue.includes(p));
 }
 
 /**
- * Parse JS/TS files and detect hard-coded credentials in const declarations.
+ * Parse JS/TS files and detect hard-coded credentials using regex patterns.
  *
  * @param {object} options
  * @param {string} options.repoRoot
@@ -121,8 +108,6 @@ export async function scanHardcodedCredentials(options = {}) {
   const files = await fg(CODE_GLOBS, {
     cwd: repoRoot,
     dot: true,
-    onlyFiles: true,
-    unique: true,
     ignore: [...DEFAULT_IGNORES, ...ignoreGlobs]
   });
 
@@ -145,36 +130,44 @@ export async function scanHardcodedCredentials(options = {}) {
       continue;
     }
 
-    let ast;
-    try {
-      ast = parse(source, {
-        sourceType: "unambiguous",
-        errorRecovery: true,
-        plugins: ["typescript", "jsx", "classProperties", "decorators-legacy"]
-      });
-    } catch (error) {
-      findings.push({
-        check: "credentials",
-        severity: "moderate",
-        message: `Unable to parse source file for AST scan: ${error.message}`,
-        file: relativePath
-      });
-      continue;
-    }
+    const lines = source.split(/\r?\n/);
 
-    walk(ast, (node) => {
-      if (node.type !== "VariableDeclaration" || node.kind !== "const") {
-        return;
-      }
+    for (let lineIndex = 0; lineIndex < lines.length; lineIndex++) {
+      const line = lines[lineIndex];
+
+      // Check variable assignments
+      CREDENTIAL_PATTERN.lastIndex = 0;
+      let match;
+      while ((match = CREDENTIAL_PATTERN.exec(line)) !== null) {
+        const varName = match[1];
+        const value = match[3];
+
+        if (isPlaceholder(value)) {
+          continue;
+        }
 
-      for (const declaration of node.declarations || []) {
-        const variableName = declaration?.id?.type === "Identifier" ? declaration.id.name : null;
-        if (!variableName || !CREDENTIAL_VAR_PATTERN.test(variableName)) {
+        const isAllowed = allowMatchers.some((matcher) => matcher.test(value));
+        if (isAllowed) {
           continue;
         }
 
-        const value = getStaticStringValue(declaration.init);
-        if (!value) {
+        findings.push({
+          check: "credentials",
+          severity: "high",
+          message: `Hardcoded credential in variable '${varName}'`,
+          file: relativePath,
+          line: lineIndex + 1,
+          column: match.index + 1
+        });
+      }
+
+      // Check object properties
+      OBJECT_CREDENTIAL_PATTERN.lastIndex = 0;
+      while ((match = OBJECT_CREDENTIAL_PATTERN.exec(line)) !== null) {
+        const propName = match[1];
+        const value = match[3];
+
+        if (isPlaceholder(value)) {
           continue;
         }
 
@@ -186,13 +179,13 @@ export async function scanHardcodedCredentials(options = {}) {
         findings.push({
           check: "credentials",
           severity: "high",
-          message: `Hardcoded credential in const '${variableName}'`,
+          message: `Hardcoded credential in property '${propName}'`,
           file: relativePath,
-          line: declaration.loc?.start?.line,
-          column: declaration.loc?.start?.column ? declaration.loc.start.column + 1 : 1
+          line: lineIndex + 1,
+          column: match.index + 1
         });
       }
-    });
+    }
   }
 
   return {

package/src/scanners/files.js

@@ -1,6 +1,6 @@
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
-import fg from "fast-glob";
+import { fg } from "../utils/glob.js";
 
 const execFileAsync = promisify(execFile);
 
@@ -56,8 +56,6 @@ export async function scanSensitiveFiles(options = {}) {
   const matches = await fg(SENSITIVE_FILE_GLOBS, {
     cwd: repoRoot,
     dot: true,
-    onlyFiles: true,
-    unique: true,
     ignore: [...DEFAULT_IGNORES, ...ignoreGlobs]
   });
 

package/src/scanners/secrets.js

@@ -1,6 +1,6 @@
 import path from "node:path";
 import { promises as fs } from "node:fs";
-import fg from "fast-glob";
+import { fg } from "../utils/glob.js";
 
 const DEFAULT_IGNORES = [
   "**/.git/**",
@@ -223,8 +223,6 @@ export async function scanSecrets(options = {}) {
   const files = await fg(["**/*"], {
     cwd: repoRoot,
     dot: true,
-    onlyFiles: true,
-    unique: true,
     ignore: [...DEFAULT_IGNORES, ...ignoreGlobs]
   });
 

package/src/utils/glob.js

@@ -0,0 +1,141 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+
+/**
+ * Convert a simple glob pattern to a RegExp.
+ * Supports: *, **, ?
+ * @param {string} pattern
+ * @returns {RegExp}
+ */
+function globToRegex(pattern) {
+    let regex = "";
+    let i = 0;
+
+    while (i < pattern.length) {
+        const char = pattern[i];
+
+        if (char === "*") {
+            if (pattern[i + 1] === "*") {
+                // ** matches any path including separators
+                if (pattern[i + 2] === "/" || pattern[i + 2] === "\\") {
+                    regex += "(?:.*[\\/\\\\])?";
+                    i += 3;
+                } else {
+                    regex += ".*";
+                    i += 2;
+                }
+            } else {
+                // * matches anything except path separators
+                regex += "[^\\/\\\\]*";
+                i += 1;
+            }
+        } else if (char === "?") {
+            regex += "[^\\/\\\\]";
+            i += 1;
+        } else if (char === "/" || char === "\\") {
+            regex += "[\\/\\\\]";
+            i += 1;
+        } else if ("[]{}()+^$.|\\".includes(char)) {
+            regex += "\\" + char;
+            i += 1;
+        } else {
+            regex += char;
+            i += 1;
+        }
+    }
+
+    return new RegExp(`^${regex}$`, "i");
+}
+
+/**
+ * Check if a path matches any of the given glob patterns.
+ * @param {string} filePath - Normalized forward-slash path
+ * @param {string[]} patterns
+ * @returns {boolean}
+ */
+function matchesAny(filePath, patterns) {
+    for (const pattern of patterns) {
+        const regex = globToRegex(pattern);
+        if (regex.test(filePath)) {
+            return true;
+        }
+    }
+    return false;
+}
+
+/**
+ * Recursively find files matching glob patterns.
+ * @param {object} options
+ * @param {string[]} options.patterns - Glob patterns to match
+ * @param {string} options.cwd - Base directory
+ * @param {string[]} [options.ignore] - Patterns to ignore
+ * @param {boolean} [options.dot] - Include dotfiles (default: false)
+ * @returns {Promise<string[]>} - Array of relative paths
+ */
+export async function glob(options) {
+    const { patterns, cwd, ignore = [], dot = false } = options;
+
+    const results = [];
+    const ignorePatterns = ignore.length > 0 ? ignore : [];
+
+    /**
+     * @param {string} dir - Current directory (relative to cwd)
+     */
+    async function traverse(dir) {
+        const fullDir = dir ? path.join(cwd, dir) : cwd;
+        let entries;
+
+        try {
+            entries = await fs.readdir(fullDir, { withFileTypes: true });
+        } catch {
+            return;
+        }
+
+        for (const entry of entries) {
+            const name = entry.name;
+
+            // Skip hidden files/dirs unless dot is enabled
+            if (!dot && name.startsWith(".")) {
+                continue;
+            }
+
+            const relativePath = dir ? `${dir}/${name}` : name;
+
+            // Check if should be ignored
+            if (matchesAny(relativePath, ignorePatterns)) {
+                continue;
+            }
+
+            if (entry.isDirectory()) {
+                // Check if directory path matches ignore (for patterns like **/node_modules/**)
+                const dirWithSlash = relativePath + "/";
+                if (!matchesAny(dirWithSlash, ignorePatterns)) {
+                    await traverse(relativePath);
+                }
+            } else if (entry.isFile()) {
+                // Check if file matches any of the include patterns
+                if (matchesAny(relativePath, patterns)) {
+                    results.push(relativePath);
+                }
+            }
+        }
+    }
+
+    await traverse("");
+    return results;
+}
+
+/**
+ * Convenience function matching fast-glob's API for easier migration.
+ * @param {string[]} patterns
+ * @param {object} options
+ * @returns {Promise<string[]>}
+ */
+export async function fg(patterns, options = {}) {
+    return glob({
+        patterns,
+        cwd: options.cwd || process.cwd(),
+        ignore: options.ignore || [],
+        dot: options.dot ?? false
+    });
+}